Summary

  • A security consulting giant Kroll disclosed that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms.

  • The attack targeted a T-Mobile phone number belonging to a Kroll employee and resulted in the transfer of that employee’s phone number to the threat actor’s phone.

  • As a result, the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.

  • People with stolen data are being subjected to phishing attacks.

Minimizing Reliance on Phone Company for Security

  • The SIM-swapping attack against Kroll is a reminder that we should not rely on mobile phone companies for our security.

  • Many online services allow users to reset their passwords by clicking on a link sent via SMS. This means that if someone gains control of your phone number, they can also gain access to your online accounts.

  • To protect yourself, you should remove your phone number from any online services that allow password reset using the phone number, starting with important accounts.

  • If you cannot remove your phone number from an online service, you should check to see if there is an option to disable SMS or phone calls for authentication and account recovery. Use a security key or a one-time code from a mobile authentication app instead of SMS for authentication.

SIM-swapping

  • SIM-swapping is a type of attack where the attacker tricks a mobile carrier into transferring a victim’s phone number to a device that they control.

  • This gives the attacker access to the victim’s SMS messages and phone calls, which can be used to reset passwords, gain access to online accounts, and commit other types of fraud.

  • SIM-swapping attacks are becoming increasingly common, and they have been used to steal millions of dollars from victims.

  • Mobile providers may not be liable for financial losses caused by SIM-swapping attacks. In a 2023 case, a California judge dismissed a lawsuit against AT&T for a 2017 SIM-swapping attack that resulted in the theft of more than $24 million in cryptocurrency.